TE WHARE WĀNANGA O TE ŪPOKO O TE IKA A MĀUI
VICTORIA UNIVERSITY OF WELLINGTON

EXAMINATIONS — 2011
END OF YEAR

NWEN 405
Security Engineering

Time Allowed: 2 Hours

Instructions:
Read each question carefully before attempting it.
This examination will be marked out of 60 marks.
Answer all three questions.
You may answer the questions in any order. Make sure you clearly identify the question you are answering.
Only printed foreign/English dictionaries are permitted.

Question  Topic                        Marks
1         Security in the Real World   20 marks
2         Secure Software Engineering  20 marks
3         Secure Networks              20 marks

Question 1. Security in the Real World [20 marks]

(a) [10 marks] During a work meeting at Goliath National Bank, one of your colleagues claims that only stupid people fall for phishing scams. Drawing upon what is known about cognitive and social psychology, write a counter-argument to his claim.

There are lots of reasons to suggest that both cognitive biases and social psychology have a large role to play in why people fall for phishing scams.

Cognitive psychology: we are bad at judging risk, and the risk of giving your password is unknown, making it particularly hard to measure the risk accurately; people are subject to information overload, making them vulnerable to attacks that seem to follow the strongest rule for safe behaviour (i.e. use a URL with https that points to an address with the incorrect but similar name to the bank); emotional processing takes over when people are uncertain, and this can be exploited by making an emotional appeal or applying time pressure; and finally, the fundamental attribution error means that we are likely to ignore warning signs because we already trust the bank.

Social psychology: people respond to authority (bank requesting email, Milgram’s experiment); people follow through because they don’t like holding conflicting views, so will persist in the scam.

This is an open question.
Looking for a discussion of the above issues. Extra weight given to answers that actually manage to reference Milgram. Less worried about whether they classify under the right heading, rather that they understand that there are well-known reasons for people acting the way that they do.

(b) [10 marks] With respect to both physical assets and physical protective measures, what are arguments in favour of and against the claim that obscurity provides security? Your discussion should draw upon appropriate theories and experimental evidence.

1. Hide the assets. Good against a casual/opportunistic attacker, but that’s about all, because most others can predict where assets are likely to be hidden or just watch you.
2. Visible deterrence. Example of silent burglar alarms actually lowering the number of attacks. Perhaps not so great against professional attackers. Would expect description of experiment. Work by Levy on LoJack system.
3. Defensible spaces. Work by Jeffery suggests visible protective measures don’t help even against opportunistic criminals. Attackers just bypass them, and measures such as bright lights etc. actually create spaces where attackers can hide and launch attacks from. Need to go further and look at motivations/opportunity etc. to really understand the problem.

Question 2. Secure Software Engineering [20 marks]

(a) [10 marks] Consider a web application written in C++ that accepts user input via a form and uses it to construct a SQL query. Explain what vulnerabilities should be mitigated in this web application, which general secure design principles are being violated and outline one or more mitigation strategies.

Specific vulnerabilities:
Incorrect or incomplete input validation. No control over input but pass it directly to another program where it could be turned into code! Potentially buffer overruns if not doing bounds checking.
SQL injection. Specific example of the two cases above.

Design principles:
Respect the chain of trust.
Inputs can be treated as code and these are not under your control, so in effect you are delegating privilege to untrusted code.
Respect least privilege. Give minimal privilege to the code executing the SQL query. Reduces the damage done should the inputs cause the execution of arbitrary code or actions with respect to the database.

Mitigation strategies:
Use whitelists to check the inputs.
Check for buffer overruns in the code processing the inputs.
Minimal trust for code interpreting the SQL instructions. Use operating system level controls here.

(b) [10 marks] Consider the relationship between risk modelling (threat modelling in the Microsoft software development lifecycle) and secure software evaluation. In particular, discuss what risk modelling is, what the limitations of functional tests are with respect to security testing, how risk modelling helps in the choice of security-relevant tests and how risk modelling can be used to determine how you choose mitigation strategies for security bugs found during testing.

Risk modelling identifies threats that are relevant to a particular application and assesses their relative impact and likelihood. Mitigations can then be chosen based upon the overall risk associated with the identified threats.

Functionality testing will only reveal problems related to normal user behaviour. These tests are positive in nature. They don’t test extreme behaviour where attackers act in ways that a normal user would never behave.

Risk modelling will uncover potential mitigations against negative behaviour by attackers. Can formulate functional tests that check that the mitigations do get used. Risk modelling will also uncover dependencies. Can use this to help devise positive tests that determine what will happen if a component fails that another component is relying upon.

Once security problems are identified, the risk modelling can incorporate these and an assessment made of the likelihood of the risk itself.
This can be used to prioritise which security bugs should be addressed.

Question 3. Secure Networks [20 marks]

(a) [10 marks] Outline four examples of different denial-of-service attacks based upon amplification techniques at the network and application layer. For each example, explain the vulnerability being exploited, the type of amplification that results and possible mitigations for the attack. Make sure you include at least one example of both impact and traffic amplification.

Smurf attack. ICMP requests with forged IP address sent to broadcast address. Everyone on the network replies, causing traffic amplification due to the sheer number of hosts replying. Mitigated by turning off broadcast and stopping requests at the gateway.

DNS attack. UDP request to DNS server misconfigured to respond to recursive requests from arbitrary clients. Query for a large name record sent (with spoofed IP address) to many DNS servers. Traffic amplification because a small request packet receives a very large reply packet. Mitigated by only allowing authenticated clients to make queries.

Web application attack. Impact amplification. Provide very complex query. Rate limitation might be the only way to mitigate. Traffic amplification also possible, for example downloading extremely large files. Again quotas might be the only approach, although IP spoofing makes this difficult to effectively enforce.

(b) [10 marks] Consider misuse (also known as signature-detection) and anomaly-detection network intrusion detection systems. In particular, discuss how these compare in terms of false positive rates, what effect the stability of the environment into which they are deployed has upon their accuracy, how these compare in terms of performance as time goes on and how they compare in terms of allowing the type of attack to be determined.

False positive.
Traditionally, signature-based has low false positives and false negatives for known threats but is vulnerable to unknown threats and polymorphic viruses, and anomaly-based has high false positives for all threats.

Stability. Signature-based relies upon knowledge of known threats; this is independent of the environment into which they are deployed, so stability has no effect upon accuracy. Anomaly-based relies upon building up a model of normal behaviour; this is hard to do in a chaotic environment, leading to higher false positives than in a more stable environment.

Performance. Signature-based performance drops as the number of signatures grows, making matching slower, therefore we might expect performance to get worse over time. Anomaly-based performance is tied to how fast it can do the comparison between the model and the baseline model, so we might expect performance to stay constant.

Attack diagnosis. Signatures exist for particular attacks, so easily diagnose the type of attack. With anomaly detection, anomalous behaviour might be caused by a number of different attacks, and so it is harder to determine exactly what the cause might be.
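
The Question 3(b) comparison as an added example, which is not part of the examination paper or its marking notes: a signature matcher and a rate-based anomaly detector run over the same observations, with the anomaly detector's false positive rate measured on benign traffic in a stable and in a changing environment. The signature names and patterns, the traffic figures and the three-standard-deviation threshold are all constructed assumptions.

```python
import re
import statistics

# Constructed signature set (names and patterns are illustrative assumptions).
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_detect(request):
    """Misuse detection: name of the first matching signature, else None."""
    for name, pattern in SIGNATURES.items():  # cost grows with signature count
        if pattern.search(request):
            return name
    return None

class AnomalyDetector:
    """Flags a requests-per-minute value more than k std devs from the baseline."""

    def __init__(self, training_rates, k=3.0):
        self.mean = statistics.mean(training_rates)
        self.std = statistics.pstdev(training_rates)
        self.k = k

    def is_anomalous(self, rate):
        return abs(rate - self.mean) > self.k * self.std

def false_positive_rate(detector, benign_rates):
    """Fraction of benign samples the anomaly detector flags."""
    return sum(detector.is_anomalous(r) for r in benign_rates) / len(benign_rates)

# Constructed data: requests per minute, all of it legitimate traffic.
TRAINING = [100, 102, 98, 101, 99, 100, 103, 97]
STABLE_BENIGN = [101, 99, 104, 96, 100, 102, 98, 105]
CHANGING_BENIGN = [101, 130, 99, 60, 150, 102, 85, 100]  # legitimate load shifts

DETECTOR = AnomalyDetector(TRAINING)

def diagnose(request, rate):
    """Return (signature verdict, anomaly verdict) for one observation."""
    return signature_detect(request), DETECTOR.is_anomalous(rate)

if __name__ == "__main__":
    print("FPR stable:  ", false_positive_rate(DETECTOR, STABLE_BENIGN))
    print("FPR changing:", false_positive_rate(DETECTOR, CHANGING_BENIGN))
    # Known attack at a normal rate: the signature names it, the rate looks normal.
    print(diagnose("GET /item?id=1 UNION SELECT name FROM users", 100))
    # Flood of ordinary requests: no signature matches; flagged, but unnamed.
    print(diagnose("GET /index.html", 900))
```

The signature verdict carries the attack type when it fires, while the anomaly verdict is only a boolean, which is the diagnosis difference the answer describes.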